Untitled :: Xygeni Documentation

Hardcoded Credentials

swift.hardcoded_credentials

Severity

high

Resource

Information leak

Language

Swift

Description

Hardcoded credentials refer to embedding usernames, passwords, or other forms of authentication data directly within the source code. This practice poses significant security risks, as it may enable unauthorized access if the code is exposed.

Rationale

When credentials such as usernames, passwords, API tokens, or cryptographic keys are statically coded into an application, they become susceptible to being exposed through source code leaks or reverse engineering. This issue is particularly concerning in Java applications, where decompilation attacks can easily reveal sensitive information embedded within the code.

The following code snippet shows hardcoded PostgresQL username and password:

import PostgresClientKit

do {
    var configuration = PostgresClientKit.ConnectionConfiguration()
    configuration.host = "127.0.0.1"
    configuration.port = 5432
    configuration.ssl = true
    configuration.database = "example"
    configuration.user = "sponge_bob"
    configuration.credential = .scramSHA256(password: "welcome1")

    let connection = try PostgresClientKit.Connection(configuration: configuration) // FLAW x2
    defer { connection.close() }
    // ...

 } catch {
   print("Error: \(error)")
 }

Remediation

To remediate the issue of hardcoded credentials in your applications, follow these best practices:

Externalize Credentials: Store sensitive information such as usernames and passwords in external configuration files, environment variables, or secure vaults. This method ensures that the actual codebase does not contain sensitive data, reducing the risk of exposure.

Environment Variables: Use environment variables to manage credentials. They can be set on the server or container running the application and accessed by the application at runtime.

Secure Configuration Management: Use a secure configuration management tool like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to store and access sensitive credentials securely. These tools provide mechanisms to manage, rotate, and control access to credentials.

Logical Separation: Implement logical separation of sensitive code and use principles like the 12-factor app to effectively manage configuration outside the source code.

Rotate and Audit: Regularly rotate credentials and perform audits to ensure that no hardcoded sensitive information exists within the codebase.

By adopting these remediation strategies, you can significantly reduce the risk associated with hardcoded credentials and ensure that your applications maintain a strong security posture.

To fix the example vulnerability, you may read the credentials from a configuration file or environment variables, or use a secrets vault.

import PostgresClientKit

do {
    var configuration = PostgresClientKit.ConnectionConfiguration()
    configuration.host = "127.0.0.1"
    configuration.port = 5432
    configuration.ssl = true
    configuration.database = "example"

    // FIXED - Read credentials from environment variables
    guard let dbUser = ProcessInfo.processInfo.environment["DB_USER"],
          let dbPassword = ProcessInfo.processInfo.environment["DB_PASSWORD"] else {
        fatalError("Database credentials not set in environment variables")
    }

    configuration.user = dbUser
    configuration.credential = .scramSHA256(password: dbPassword)

    let connection = try PostgresClientKit.Connection(configuration: configuration)
    defer { connection.close() }
    // ...

} catch {
    print("Error: \(error)")
}

Configuration

This detector does not need any configuration.

References

CWE-798 : Use of Hard-coded Credentials.
OWASP - Top 10 2021 Category A07 : Identification and Authentication Failures.
MASWE-0005: API Keys Hardcoded in the App Package.